Solaris 8 Kerberos / Ldap Client Setup
Douglas E. Engert
deengert at anl.gov
Fri May 15 10:15:57 EDT 2009
I don't think your problem is Kerberos, but rather nss and pam finding
the account. Could also be telnet issues too.
Matthew.GARRETT at external.total.com wrote:
> "Douglas E. Engert" <deengert at anl.gov> wrote on 14/05/2009 20:13:25:
>
>> Matthew.GARRETT at external.total.com wrote:
>>> Folks
>>>
>>> I am trying to set up a Solaris 8 client to talk to Kerberos / Ldap instead
>>> of using NIS
>>>
>>> Ldap works fine e.g. getent passwd
>>> Displays the LDAP Password entries
>>>
>>> Kerberos:
>>> Doing a kinit USERNAME , works fine if I am logged on to the console as
>>> root user
>>> So would seem that /etc/krb/krb5.conf is configured correctly.
>>>
>>> I have changed /etc/pam.conf to use krb5
>>> other password sufficient /usr/lib/security/$ISA/pam_unix.so.1
>>> other password required /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
>>> #
>>>
> Adding debug does not seem to generate any more details.
>
>> Try adding debug as a param on the above line.
>>
>>> However when I try and login as a normal user /var/adm/authlog shows the
>>> following errors
>>>
>>> May 14 17:20:48 bruce PAM: [ID 702575 auth.debug] pam_start(telnet ) -
>
>>> debug = 1
>> First of all you should not use telnet, as the password may be sent over
>> the network in the clear. Consider using ssh.
>
> Normally we do use ssh but for testing turned on telnet
> In case ssh was causing problems.
>
>>> No account present for user
>> This says it can not find the account, so there is some issue with
>> the user account or the nsswitch.conf finding ldap, or how telnet is
>> passing in the username.
>>
>
>> add debug options to the pam.conf entries.
>>
>> We don't have any Solaris 8 anymore but when we did, we did not use the
>> Sun version of Kerberos or pam_krb5. We have used MIT Kerberos and various
>> pam_krb5 modules. (On Solaris 10 the Sun Kerberos, ssh and pam_krb5
>> work well.)
>>
> Now that bit is interesting, maybe Solaris 8 stock version of Kerberos is
> broken.
> I will download the latest version and see if that makes any difference.
The Solaris 8 Kerberos may work fine in your situation. We were running Kerberos
long before Sun implemented it. Sun did not expose the API in 8 and 9. We also
use Windows AD as the KDC, which if I recall had issues. So we kept running the
MIT versions on 8 and 9.
>
> Matt
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
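
An added example, not part of the thread: `pam.conf` has four module types (`auth`, `account`, `session`, `password`), and a login is handled by the `auth` and `account` stacks, while `password` entries apply to password changes. The shell check below reports, for one service, which module types name a given module, using the `other` entries when the service has none for that type. The sample file is constructed and `pam_stack_report` is a hypothetical helper name.

```shell
#!/bin/sh
# Constructed sample in Solaris pam.conf layout (not the poster's file):
#   service  module_type  control_flag  module_path  [options]
sample_pam_conf() {
cat <<'EOF'
# constructed sample
telnet  auth     required   /usr/lib/security/$ISA/pam_unix.so.1
other   auth     required   /usr/lib/security/$ISA/pam_unix.so.1
other   account  required   /usr/lib/security/$ISA/pam_unix.so.1
other   session  required   /usr/lib/security/$ISA/pam_unix.so.1
other   password sufficient /usr/lib/security/$ISA/pam_unix.so.1
other   password required   /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
EOF
}

# pam_stack_report SERVICE MODULE   (pam.conf text on stdin)
# Prints one line per module type: "<type> <entries used> <yes|no>"
# where yes/no says whether MODULE appears in the entries that apply.
pam_stack_report() {
  awk -v svc="$1" -v mod="$2" '
    /^[ \t]*#/ || NF < 4 { next }            # skip comments, blank/short lines
    { s = $1; t = $2
      if (s != svc && s != "other") next     # only this service or the fallback
      seen[s, t] = 1
      if (index($4, mod)) hit[s, t] = 1 }    # module_path is field 4
    END {
      n = split("auth account session password", types, " ")
      for (i = 1; i <= n; i++) {
        t = types[i]
        # service-specific entries win; otherwise the "other" entries apply
        src = ((svc, t) in seen) ? svc : "other"
        if (!((src, t) in seen)) { print t, "none", "no"; continue }
        print t, src, (((src, t) in hit) ? "yes" : "no")
      }
    }'
}

sample_pam_conf | pam_stack_report telnet pam_krb5
```

On a real host the input would be `/etc/pam.conf` instead of the constructed sample.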